Snort mailing list archives
Re: how to ignore scans from trusted hosts?
From: Neil Dickey <neil () geol niu edu>
Date: Fri, 1 Jun 2001 11:20:05 -0500 (CDT)
Tony Lill <ajlill () ajlc waterloo on ca> wrote in response to me:

> Neil> Roeland Weve <roeland () office netland nl> wrote asking:
> >> I've seen it in a snort.conf version where the trusted host
> >> 'www.snort.org' was ignored from getting alerts from. Now I'm
> >> getting alerts from some trusted hosts and want to ignore them
> >> by putting them in the snort.conf file. I forgot how to do
> >> that, is it still possible and how can I do it?
> Neil> Yes, you need to write a "pass" rule, e.g.:
> Neil> pass tcp 205.164.217.39 80 <> any any
>
> That won't stop it from complaining about portscans, since that is
> handled in a pre-processor (before the rules are matched). What you
> need to do is write a tcpdump-style filter to exclude the host, eg.

That is true, but I assumed from the context of Roeland's original post that the problem he was having derived from Snort rules and not the preprocessor. I may have been incorrect in that.

> not ( tcp and host trusted.host and port 80 )
>
> and either append it to the command line or put it in a file and use
> the -F option to snort.

I have successfully used this syntax near the head of my snort.conf file ...

preprocessor portscan-ignorehosts: 111.222.333.444/24 555.666.777.888/8

... where the number of domains to be ignored was not large.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
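
Added example, not part of the original message or of Snort itself: a small Python helper that produces both forms discussed in this thread, the tcpdump-style exclusion for `snort -F` and the `portscan-ignorehosts` line, and rejects malformed addresses before anything reaches the configuration. The function names, the IPv4-only restriction, the /16 breadth limit and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import ipaddress

MIN_PREFIX = 16  # assumed policy: refuse to ignore anything broader than a /16


def bpf_exclusion(entries):
    """Return one tcpdump-style expression excluding each (proto, ip, port).

    Every clause names protocol, host and port, so only that exact
    service on the trusted host is hidden from Snort.
    """
    clauses = []
    for proto, host, port in entries:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto!r}")
        addr = ipaddress.IPv4Address(host)  # ValueError if malformed
        if not 0 < int(port) < 65536:
            raise ValueError(f"bad port: {port!r}")
        clauses.append(f"not ( {proto} and host {addr} and port {int(port)} )")
    return " and ".join(clauses)


def ignorehosts_line(networks, min_prefix=MIN_PREFIX):
    """Return a portscan-ignorehosts line from host/CIDR strings.

    Host bits are masked off, overlapping entries are merged, and
    malformed or overly broad networks are rejected.
    """
    nets = []
    for text in networks:
        net = ipaddress.IPv4Network(text, strict=False)  # ValueError if malformed
        if net.prefixlen < min_prefix:
            raise ValueError(f"{net} is broader than /{min_prefix}")
        nets.append(net)
    merged = ipaddress.collapse_addresses(nets)
    return "preprocessor portscan-ignorehosts: " + " ".join(map(str, merged))


if __name__ == "__main__":
    # Constructed sample input (RFC 5737 documentation addresses).
    print(bpf_exclusion([("tcp", "192.0.2.10", 80)]))
    print(ignorehosts_line(["192.0.2.10/24", "192.0.2.128/25", "198.51.100.7"]))
```

The first string is what goes on the command line or into the file given to `-F`; the second is a line for snort.conf.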